CISA adds JBoss RichFaces Framework flaw to its Known Exploited Vulnerabilities catalog

7 months ago AndyC

CISA adds JBoss RichFaces Framework flaw to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini
September 29, 2023

US CISA added the flaw CVE-2018-14667 in Red Hat JBoss RichFaces Framework to its Known Exploited Vulnerabilities catalo

CISA adds JBoss RichFaces Framework flaw to its Known Exploited Vulnerabilities catalog

CISA adds JBoss RichFaces Framework flaw to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini
September 29, 2023

US CISA added the flaw CVE-2018-14667 in Red Hat JBoss RichFaces Framework to its Known Exploited Vulnerabilities catalog.

US Cybersecurity and Infrastructure Security Agency (CISA) added the critical flaw CVE-2018-14667 (CVSS score 9.8) affecting Red Hat JBoss RichFaces Framework to its Known Exploited Vulnerabilities Catalog.

The issue is an Expression Language (EL) injection via the UserResource resource, it affects RichFaces Framework 3.X through 3.3.4. A remote, unauthenticated attacker could exploit this vulnerability to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.

The vulnerability was discovered by the security researcher Joao Filho Matos Figueiredo.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by October 19, 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , ,

More Stories

Hackers may have accessed thousands of accounts on California state welfare platform

Hackers may have accessed thousands of accounts on California state welfare platform

4 hours ago AndyC
Brokewell supports an extensive set of Device Takeover capabilities

Brokewell supports an extensive set of Device Takeover capabilities

10 hours ago AndyC

Friday Squid Blogging: Searching for the Colossal Squid

22 hours ago AndyC
Experts warn of malware campaign targeting WP-Automatic plugin

Experts warn of malware campaign targeting WP-Automatic plugin

1 day ago AndyC
Cryptocurrencies and cybercrime: A critical intermingling

Cryptocurrencies and cybercrime: A critical intermingling

1 day ago AndyC
Kaiser Permanente data breach may have impacted 13.4 million patients

Kaiser Permanente data breach may have impacted 13.4 million patients

1 day ago AndyC

You may have missed

Hackers may have accessed thousands of accounts on California state welfare platform

Hackers may have accessed thousands of accounts on California state welfare platform

4 hours ago AndyC

Major phishing-as-a-service platform disrupted – Week in security with Tony Anscombe

7 hours ago AndyC
Brokewell supports an extensive set of Device Takeover capabilities

Brokewell supports an extensive set of Device Takeover capabilities

10 hours ago AndyC
Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

10 hours ago AndyC
Bogus npm Packages Used to Trick Software Developers into Installing Malware

Bogus npm Packages Used to Trick Software Developers into Installing Malware

16 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.